2017-10-06 19:00:26

by Guido Trentalancia

Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit

Add permissions required to start a Gnome session using gnome-session
and ConsoleKit.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/policykit.if | 19 +++++++++++++++++++
policy/modules/contrib/policykit.te | 9 +++++++--
policy/modules/contrib/wm.if | 5 +++++
3 files changed, 31 insertions(+), 2 deletions(-)

--- a/policy/modules/contrib/policykit.if 2017-09-29 19:01:55.177455647 +0200
+++ b/policy/modules/contrib/policykit.if 2017-10-06 20:26:16.020913014 +0200
@@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
roleattribute $2 policykit_auth_roles;
')

+#######################################
+## <summary>
+## Send generic signals to
+## policykit auth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_signal_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ allow $1 policykit_auth_t:process signal;
+')
+
########################################
## <summary>
## Execute a domain transition to run polkit grant.
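Review bot: The header rule above the new `policykit_signal_auth` interface, `#######################################`, appears one `#` shorter than the rule on the next interface's header, `########################################`; refpolicy interface headers are a fixed-width line, so the new one should be padded to match. The body itself is minimal, a single `allow $1 policykit_auth_t:process signal;`, and the XML summary and param block follow the module's existing form, so only the separator needs touching.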
diff -pru a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
--- a/policy/modules/contrib/policykit.te 2017-09-29 19:01:55.177455647 +0200
+++ b/policy/modules/contrib/policykit.te 2017-10-06 20:38:00.347910134 +0200
@@ -152,8 +152,8 @@ optional_policy(`
# Auth local policy
#

-allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
-dontaudit policykit_auth_t self:capability sys_tty_config;
+allow policykit_auth_t self:capability { dac_override ipc_lock setgid setuid sys_nice };
+dontaudit policykit_auth_t self:capability { dac_read_search sys_tty_config };
allow policykit_auth_t self:process { getsched setsched signal };
allow policykit_auth_t self:unix_stream_socket { accept listen };

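Review bot: `dac_override` in the new `allow policykit_auth_t self:capability { dac_override ipc_lock setgid setuid sys_nice };` is the broadest of the DAC-bypass capabilities, and neither the rule nor the commit message says which file access needs it. If the underlying denial is a read of a root-only file (the shadow read granted further down in this same file is the obvious candidate), `dac_read_search` is sufficient and the narrower grant: `allow policykit_auth_t self:capability { dac_read_search ipc_lock setgid setuid sys_nice };` with `dontaudit policykit_auth_t self:capability { dac_override sys_tty_config };`, since the kernel tries dac_override first on regular-file reads and only the dontaudit is needed to keep the log quiet. If a write through DAC really is required, a one-line comment naming the path would let the next reviewer re-check it instead of guessing.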
@@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut

kernel_read_system_state(policykit_auth_t)
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
+kernel_dontaudit_search_sysctl(policykit_auth_t)

dev_read_video_dev(policykit_auth_t)

+domain_use_interactive_fds(policykit_auth_t)
+
files_read_etc_runtime_files(policykit_auth_t)
files_search_home(policykit_auth_t)

fs_getattr_all_fs(policykit_auth_t)
fs_search_tmpfs(policykit_auth_t)

+auth_read_shadow(policykit_auth_t)
auth_rw_var_auth(policykit_auth_t)
auth_use_nsswitch(policykit_auth_t)
auth_domtrans_chk_passwd(policykit_auth_t)
@@ -218,6 +222,7 @@ optional_policy(`
optional_policy(`
xserver_stream_connect(policykit_auth_t)
xserver_read_xdm_pid(policykit_auth_t)
+ xserver_rw_xsession_log(policykit_auth_t)
')

########################################
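Review bot: `xserver_rw_xsession_log(policykit_auth_t)` is the one addition in this hunk that widens file access, and it is not clear from the commit whether the agent opens the X session log itself or only writes to a descriptor it inherited from the session (the `domain_use_interactive_fds` added earlier in this file suggests inherited descriptors are in play). If the AVC that motivated it did not include `open`, a read/write grant on the file may be more than is needed; confirming that against the denial before merging would keep the agent's footprint minimal. A short comment above the line, e.g. `# TODO confirm: needed for the inherited session log, or does the agent open it?`, would record the question either way.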
diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
--- a/policy/modules/contrib/wm.if 2017-09-29 19:01:55.209455647 +0200
+++ b/policy/modules/contrib/wm.if 2017-10-06 20:18:53.335914824 +0200
@@ -90,6 +90,11 @@ template(`wm_role_template',`
')

optional_policy(`
+ policykit_run_auth($1_wm_t, $2)
+ policykit_signal_auth($1_wm_t)
+ ')
+
+ optional_policy(`
pulseaudio_run($1_wm_t, $2)
')
')


2017-10-09 18:51:39

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit

On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
> Add permissions required to start a Gnome session using gnome-session
> and ConsoleKit.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/policykit.if | 19 +++++++++++++++++++
> policy/modules/contrib/policykit.te | 9 +++++++--
> policy/modules/contrib/wm.if | 5 +++++
> 3 files changed, 31 insertions(+), 2 deletions(-)
>
> --- a/policy/modules/contrib/policykit.if 2017-09-29 19:01:55.177455647 +0200
> +++ b/policy/modules/contrib/policykit.if 2017-10-06 20:26:16.020913014 +0200
> @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
> roleattribute $2 policykit_auth_roles;
> ')
>
> +#######################################
> +## <summary>
> +## Send generic signals to
> +## policykit auth.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`policykit_signal_auth',`
> + gen_require(`
> + type policykit_auth_t;
> + ')
> +
> + allow $1 policykit_auth_t:process signal;
> +')
> +
> ########################################
> ## <summary>
> ## Execute a domain transition to run polkit grant.
> diff -pru a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
> --- a/policy/modules/contrib/policykit.te 2017-09-29 19:01:55.177455647 +0200
> +++ b/policy/modules/contrib/policykit.te 2017-10-06 20:38:00.347910134 +0200
> @@ -152,8 +152,8 @@ optional_policy(`
> # Auth local policy
> #
>
> -allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
> -dontaudit policykit_auth_t self:capability sys_tty_config;
> +allow policykit_auth_t self:capability { dac_override ipc_lock setgid setuid sys_nice };
> +dontaudit policykit_auth_t self:capability { dac_read_search sys_tty_config };
> allow policykit_auth_t self:process { getsched setsched signal };
> allow policykit_auth_t self:unix_stream_socket { accept listen };
>
> @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
>
> kernel_read_system_state(policykit_auth_t)
> kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
> +kernel_dontaudit_search_sysctl(policykit_auth_t)
>
> dev_read_video_dev(policykit_auth_t)
>
> +domain_use_interactive_fds(policykit_auth_t)
> +
> files_read_etc_runtime_files(policykit_auth_t)
> files_search_home(policykit_auth_t)
>
> fs_getattr_all_fs(policykit_auth_t)
> fs_search_tmpfs(policykit_auth_t)
>
> +auth_read_shadow(policykit_auth_t)
> auth_rw_var_auth(policykit_auth_t)
> auth_use_nsswitch(policykit_auth_t)
> auth_domtrans_chk_passwd(policykit_auth_t)

The above shadow addition shouldn't be necessary because of this
password check.

> @@ -218,6 +222,7 @@ optional_policy(`
> optional_policy(`
> xserver_stream_connect(policykit_auth_t)
> xserver_read_xdm_pid(policykit_auth_t)
> + xserver_rw_xsession_log(policykit_auth_t)
> ')
>
> ########################################
> diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
> --- a/policy/modules/contrib/wm.if 2017-09-29 19:01:55.209455647 +0200
> +++ b/policy/modules/contrib/wm.if 2017-10-06 20:18:53.335914824 +0200
> @@ -90,6 +90,11 @@ template(`wm_role_template',`
> ')
>
> optional_policy(`
> + policykit_run_auth($1_wm_t, $2)
> + policykit_signal_auth($1_wm_t)
> + ')
> +
> + optional_policy(`
> pulseaudio_run($1_wm_t, $2)
> ')
> ')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito

2017-10-09 18:59:48

by Guido Trentalancia

Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit

Hello.

On the 9th of October 2017 20:51:39 CEST, Chris PeBenito <[email protected]> wrote:
>On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
>> Add permissions required to start a Gnome session using gnome-session
>> and ConsoleKit.
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/contrib/policykit.if | 19 +++++++++++++++++++
>> policy/modules/contrib/policykit.te | 9 +++++++--
>> policy/modules/contrib/wm.if | 5 +++++
>> 3 files changed, 31 insertions(+), 2 deletions(-)
>>
>> --- a/policy/modules/contrib/policykit.if 2017-09-29
>19:01:55.177455647 +0200
>> +++ b/policy/modules/contrib/policykit.if 2017-10-06
>20:26:16.020913014 +0200
>> @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
>> roleattribute $2 policykit_auth_roles;
>> ')
>>
>> +#######################################
>> +## <summary>
>> +## Send generic signals to
>> +## policykit auth.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`policykit_signal_auth',`
>> + gen_require(`
>> + type policykit_auth_t;
>> + ')
>> +
>> + allow $1 policykit_auth_t:process signal;
>> +')
>> +
>> ########################################
>> ## <summary>
>> ## Execute a domain transition to run polkit grant.
>> diff -pru a/policy/modules/contrib/policykit.te
>b/policy/modules/contrib/policykit.te
>> --- a/policy/modules/contrib/policykit.te 2017-09-29
>19:01:55.177455647 +0200
>> +++ b/policy/modules/contrib/policykit.te 2017-10-06
>20:38:00.347910134 +0200
>> @@ -152,8 +152,8 @@ optional_policy(`
>> # Auth local policy
>> #
>>
>> -allow policykit_auth_t self:capability { ipc_lock setgid setuid
>sys_nice };
>> -dontaudit policykit_auth_t self:capability sys_tty_config;
>> +allow policykit_auth_t self:capability { dac_override ipc_lock
>setgid setuid sys_nice };
>> +dontaudit policykit_auth_t self:capability { dac_read_search
>sys_tty_config };
>> allow policykit_auth_t self:process { getsched setsched signal };
>> allow policykit_auth_t self:unix_stream_socket { accept listen };
>>
>> @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
>>
>> kernel_read_system_state(policykit_auth_t)
>> kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
>> +kernel_dontaudit_search_sysctl(policykit_auth_t)
>>
>> dev_read_video_dev(policykit_auth_t)
>>
>> +domain_use_interactive_fds(policykit_auth_t)
>> +
>> files_read_etc_runtime_files(policykit_auth_t)
>> files_search_home(policykit_auth_t)
>>
>> fs_getattr_all_fs(policykit_auth_t)
>> fs_search_tmpfs(policykit_auth_t)
>>
>> +auth_read_shadow(policykit_auth_t)
>> auth_rw_var_auth(policykit_auth_t)
>> auth_use_nsswitch(policykit_auth_t)
>> auth_domtrans_chk_passwd(policykit_auth_t)
>
>The above shadow addition shouldn't be necessary because of this
>password check.

I thought the same, but apparently it also needs to read shadow directly...

>> @@ -218,6 +222,7 @@ optional_policy(`
>> optional_policy(`
>> xserver_stream_connect(policykit_auth_t)
>> xserver_read_xdm_pid(policykit_auth_t)
>> + xserver_rw_xsession_log(policykit_auth_t)
>> ')
>>
>> ########################################
>> diff -pru a/policy/modules/contrib/wm.if
>b/policy/modules/contrib/wm.if
>> --- a/policy/modules/contrib/wm.if 2017-09-29 19:01:55.209455647
>+0200
>> +++ b/policy/modules/contrib/wm.if 2017-10-06 20:18:53.335914824
>+0200
>> @@ -90,6 +90,11 @@ template(`wm_role_template',`
>> ')
>>
>> optional_policy(`
>> + policykit_run_auth($1_wm_t, $2)
>> + policykit_signal_auth($1_wm_t)
>> + ')
>> +
>> + optional_policy(`
>> pulseaudio_run($1_wm_t, $2)
>> ')
>> ')

Regards,

Guido

2017-10-10 19:21:19

by Guido Trentalancia

Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit

Strictly speaking it's not polkit, but a closely related package
called "polkit-gnome".

For your reference, it's the following getpwnam() call:

https://git.gnome.org/browse/PolicyKit-gnome/tree/src/polkitgnomeauthen
ticationdialog.c#n174

See also:

http://man7.org/linux/man-pages/man3/getpwnam.3p.html

Thus, we need auth_read_shadow(polkit_auth_t) in the Reference
Policy...

On Mon, 09/10/2017 at 20.59 +0200, Guido Trentalancia via
refpolicy wrote:
> Hello.
>
> On the 9th of October 2017 20:51:39 CEST, Chris PeBenito <pebenito@ie
> ee.org> wrote:
> > On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
> > > Add permissions required to start a Gnome session using gnome-
> > > session
> > > and ConsoleKit.
> > >
> > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > ---
> > > policy/modules/contrib/policykit.if | 19 +++++++++++++++++++
> > > policy/modules/contrib/policykit.te | 9 +++++++--
> > > policy/modules/contrib/wm.if | 5 +++++
> > > 3 files changed, 31 insertions(+), 2 deletions(-)
> > >
> > > --- a/policy/modules/contrib/policykit.if 2017-09-29
> >
> > 19:01:55.177455647 +0200
> > > +++ b/policy/modules/contrib/policykit.if 2017-10-06
> >
> > 20:26:16.020913014 +0200
> > > @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
> > > roleattribute $2 policykit_auth_roles;
> > > ')
> > >
> > > +#######################################
> > > +## <summary>
> > > +## Send generic signals to
> > > +## policykit auth.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`policykit_signal_auth',`
> > > + gen_require(`
> > > + type policykit_auth_t;
> > > + ')
> > > +
> > > + allow $1 policykit_auth_t:process signal;
> > > +')
> > > +
> > > ########################################
> > > ## <summary>
> > > ## Execute a domain transition to run polkit grant.
> > > diff -pru a/policy/modules/contrib/policykit.te
> >
> > b/policy/modules/contrib/policykit.te
> > > --- a/policy/modules/contrib/policykit.te 2017-09-29
> >
> > 19:01:55.177455647 +0200
> > > +++ b/policy/modules/contrib/policykit.te 2017-10-06
> >
> > 20:38:00.347910134 +0200
> > > @@ -152,8 +152,8 @@ optional_policy(`
> > > # Auth local policy
> > > #
> > >
> > > -allow policykit_auth_t self:capability { ipc_lock setgid setuid
> >
> > sys_nice };
> > > -dontaudit policykit_auth_t self:capability sys_tty_config;
> > > +allow policykit_auth_t self:capability { dac_override ipc_lock
> >
> > setgid setuid sys_nice };
> > > +dontaudit policykit_auth_t self:capability { dac_read_search
> >
> > sys_tty_config };
> > > allow policykit_auth_t self:process { getsched setsched signal
> > > };
> > > allow policykit_auth_t self:unix_stream_socket { accept listen
> > > };
> > >
> > > @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
> > >
> > > kernel_read_system_state(policykit_auth_t)
> > > kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
> > > +kernel_dontaudit_search_sysctl(policykit_auth_t)
> > >
> > > dev_read_video_dev(policykit_auth_t)
> > >
> > > +domain_use_interactive_fds(policykit_auth_t)
> > > +
> > > files_read_etc_runtime_files(policykit_auth_t)
> > > files_search_home(policykit_auth_t)
> > >
> > > fs_getattr_all_fs(policykit_auth_t)
> > > fs_search_tmpfs(policykit_auth_t)
> > >
> > > +auth_read_shadow(policykit_auth_t)
> > > auth_rw_var_auth(policykit_auth_t)
> > > auth_use_nsswitch(policykit_auth_t)
> > > auth_domtrans_chk_passwd(policykit_auth_t)
> >
> > The above shadow addition shouldn't be necessary because of this
> > password check.
>
> I thought the same, but apparently it also needs to read shadow
> directly...
>
> > > @@ -218,6 +222,7 @@ optional_policy(`
> > > optional_policy(`
> > > xserver_stream_connect(policykit_auth_t)
> > > xserver_read_xdm_pid(policykit_auth_t)
> > > + xserver_rw_xsession_log(policykit_auth_t)
> > > ')
> > >
> > > ########################################
> > > diff -pru a/policy/modules/contrib/wm.if
> >
> > b/policy/modules/contrib/wm.if
> > > --- a/policy/modules/contrib/wm.if 2017-09-29
> > > 19:01:55.209455647
> >
> > +0200
> > > +++ b/policy/modules/contrib/wm.if 2017-10-06
> > > 20:18:53.335914824
> >
> > +0200
> > > @@ -90,6 +90,11 @@ template(`wm_role_template',`
> > > ')
> > >
> > > optional_policy(`
> > > + policykit_run_auth($1_wm_t, $2)
> > > + policykit_signal_auth($1_wm_t)
> > > + ')
> > > +
> > > + optional_policy(`
> > > pulseaudio_run($1_wm_t, $2)
> > > ')
> > > ')

Regards,

Guido

2017-10-10 19:38:16

by Guido Trentalancia

Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit

Hello again Christopher.

On Mon, 09/10/2017 at 20.59 +0200, Guido Trentalancia via
refpolicy wrote:
> Hello.
>
> On the 9th of October 2017 20:51:39 CEST, Chris PeBenito <pebenito@ie
> ee.org> wrote:
> > On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
> > > Add permissions required to start a Gnome session using gnome-
> > > session
> > > and ConsoleKit.
> > >
> > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > ---
> > > policy/modules/contrib/policykit.if | 19 +++++++++++++++++++
> > > policy/modules/contrib/policykit.te | 9 +++++++--
> > > policy/modules/contrib/wm.if | 5 +++++
> > > 3 files changed, 31 insertions(+), 2 deletions(-)
> > >
> > > --- a/policy/modules/contrib/policykit.if 2017-09-29
> >
> > 19:01:55.177455647 +0200
> > > +++ b/policy/modules/contrib/policykit.if 2017-10-06
> >
> > 20:26:16.020913014 +0200
> > > @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
> > > roleattribute $2 policykit_auth_roles;
> > > ')
> > >
> > > +#######################################
> > > +## <summary>
> > > +## Send generic signals to
> > > +## policykit auth.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`policykit_signal_auth',`
> > > + gen_require(`
> > > + type policykit_auth_t;
> > > + ')
> > > +
> > > + allow $1 policykit_auth_t:process signal;
> > > +')
> > > +
> > > ########################################
> > > ## <summary>
> > > ## Execute a domain transition to run polkit grant.
> > > diff -pru a/policy/modules/contrib/policykit.te
> >
> > b/policy/modules/contrib/policykit.te
> > > --- a/policy/modules/contrib/policykit.te 2017-09-29
> >
> > 19:01:55.177455647 +0200
> > > +++ b/policy/modules/contrib/policykit.te 2017-10-06
> >
> > 20:38:00.347910134 +0200
> > > @@ -152,8 +152,8 @@ optional_policy(`
> > > # Auth local policy
> > > #
> > >
> > > -allow policykit_auth_t self:capability { ipc_lock setgid setuid
> >
> > sys_nice };
> > > -dontaudit policykit_auth_t self:capability sys_tty_config;
> > > +allow policykit_auth_t self:capability { dac_override ipc_lock
> >
> > setgid setuid sys_nice };
> > > +dontaudit policykit_auth_t self:capability { dac_read_search
> >
> > sys_tty_config };
> > > allow policykit_auth_t self:process { getsched setsched signal
> > > };
> > > allow policykit_auth_t self:unix_stream_socket { accept listen
> > > };
> > >
> > > @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
> > >
> > > kernel_read_system_state(policykit_auth_t)
> > > kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
> > > +kernel_dontaudit_search_sysctl(policykit_auth_t)
> > >
> > > dev_read_video_dev(policykit_auth_t)
> > >
> > > +domain_use_interactive_fds(policykit_auth_t)
> > > +
> > > files_read_etc_runtime_files(policykit_auth_t)
> > > files_search_home(policykit_auth_t)
> > >
> > > fs_getattr_all_fs(policykit_auth_t)
> > > fs_search_tmpfs(policykit_auth_t)
> > >
> > > +auth_read_shadow(policykit_auth_t)

By the way, the original polkit package also uses getpwnam() and
getspnam():

http://man7.org/linux/man-pages/man3/getpwnam.3.html

http://man7.org/linux/man-pages/man3/getspnam.3.html

It can be compiled with PAM support OR *shadow* support:

--with-authfw=<name> Authentication framework (none/pam/shadow)

See, for example:

https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthel
per-shadow.c

Therefore, it seems that both polkit and polkit-gnome need
auth_read_shadow() in the policy (the current policy is incomplete).

I hope it helps...

> > > auth_rw_var_auth(policykit_auth_t)
> > > auth_use_nsswitch(policykit_auth_t)
> > > auth_domtrans_chk_passwd(policykit_auth_t)
> >
> > The above shadow addition shouldn't be necessary because of this
> > password check.
>
> I thought the same, but apparently it also needs to read shadow
> directly...
>
> > > @@ -218,6 +222,7 @@ optional_policy(`
> > > optional_policy(`
> > > xserver_stream_connect(policykit_auth_t)
> > > xserver_read_xdm_pid(policykit_auth_t)
> > > + xserver_rw_xsession_log(policykit_auth_t)
> > > ')
> > >
> > > ########################################
> > > diff -pru a/policy/modules/contrib/wm.if
> >
> > b/policy/modules/contrib/wm.if
> > > --- a/policy/modules/contrib/wm.if 2017-09-29
> > > 19:01:55.209455647
> >
> > +0200
> > > +++ b/policy/modules/contrib/wm.if 2017-10-06
> > > 20:18:53.335914824
> >
> > +0200
> > > @@ -90,6 +90,11 @@ template(`wm_role_template',`
> > > ')
> > >
> > > optional_policy(`
> > > + policykit_run_auth($1_wm_t, $2)
> > > + policykit_signal_auth($1_wm_t)
> > > + ')
> > > +
> > > + optional_policy(`
> > > pulseaudio_run($1_wm_t, $2)
> > > ')
> > > ')

Regards,

Guido

2017-10-10 19:42:41

by Guido Trentalancia

Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit

On Tue, 10/10/2017 at 21.38 +0200, Guido Trentalancia via
refpolicy wrote:
> Hello again Christopher.
>
> On Mon, 09/10/2017 at 20.59 +0200, Guido Trentalancia via
> refpolicy wrote:
> > Hello.
> >
> > On the 9th of October 2017 20:51:39 CEST, Chris PeBenito <pebenito@
> > ie
> > ee.org> wrote:
> > > On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
> > > > Add permissions required to start a Gnome session using gnome-
> > > > session
> > > > and ConsoleKit.
> > > >
> > > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > > ---
> > > > policy/modules/contrib/policykit.if | 19
> > > > +++++++++++++++++++
> > > > policy/modules/contrib/policykit.te | 9 +++++++--
> > > > policy/modules/contrib/wm.if | 5 +++++
> > > > 3 files changed, 31 insertions(+), 2 deletions(-)
> > > >
> > > > --- a/policy/modules/contrib/policykit.if 2017-09-29
> > >
> > > 19:01:55.177455647 +0200
> > > > +++ b/policy/modules/contrib/policykit.if 2017-10-06
> > >
> > > 20:26:16.020913014 +0200
> > > > @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
> > > > roleattribute $2 policykit_auth_roles;
> > > > ')
> > > >
> > > > +#######################################
> > > > +## <summary>
> > > > +## Send generic signals to
> > > > +## policykit auth.
> > > > +## </summary>
> > > > +## <param name="domain">
> > > > +## <summary>
> > > > +## Domain allowed access.
> > > > +## </summary>
> > > > +## </param>
> > > > +#
> > > > +interface(`policykit_signal_auth',`
> > > > + gen_require(`
> > > > + type policykit_auth_t;
> > > > + ')
> > > > +
> > > > + allow $1 policykit_auth_t:process signal;
> > > > +')
> > > > +
> > > > ########################################
> > > > ## <summary>
> > > > ## Execute a domain transition to run polkit grant.
> > > > diff -pru a/policy/modules/contrib/policykit.te
> > >
> > > b/policy/modules/contrib/policykit.te
> > > > --- a/policy/modules/contrib/policykit.te 2017-09-29
> > >
> > > 19:01:55.177455647 +0200
> > > > +++ b/policy/modules/contrib/policykit.te 2017-10-06
> > >
> > > 20:38:00.347910134 +0200
> > > > @@ -152,8 +152,8 @@ optional_policy(`
> > > > # Auth local policy
> > > > #
> > > >
> > > > -allow policykit_auth_t self:capability { ipc_lock setgid
> > > > setuid
> > >
> > > sys_nice };
> > > > -dontaudit policykit_auth_t self:capability sys_tty_config;
> > > > +allow policykit_auth_t self:capability { dac_override ipc_lock
> > >
> > > setgid setuid sys_nice };
> > > > +dontaudit policykit_auth_t self:capability { dac_read_search
> > >
> > > sys_tty_config };
> > > > allow policykit_auth_t self:process { getsched setsched
> > > > signal
> > > > };
> > > > allow policykit_auth_t self:unix_stream_socket { accept
> > > > listen
> > > > };
> > > >
> > > > @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
> > > >
> > > > kernel_read_system_state(policykit_auth_t)
> > > > kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
> > > > +kernel_dontaudit_search_sysctl(policykit_auth_t)
> > > >
> > > > dev_read_video_dev(policykit_auth_t)
> > > >
> > > > +domain_use_interactive_fds(policykit_auth_t)
> > > > +
> > > > files_read_etc_runtime_files(policykit_auth_t)
> > > > files_search_home(policykit_auth_t)
> > > >
> > > > fs_getattr_all_fs(policykit_auth_t)
> > > > fs_search_tmpfs(policykit_auth_t)
> > > >
> > > > +auth_read_shadow(policykit_auth_t)
>
> By the way, the original polkit package also uses getpwnam() and
> getspnam():
>
> http://man7.org/linux/man-pages/man3/getpwnam.3.html
>
> http://man7.org/linux/man-pages/man3/getspnam.3.html
>
> It can be compiled with PAM support OR *shadow* support:
>
> --with-authfw=<name> Authentication framework (none/pam/shadow)
>
> See, for example:
>
> https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenth
> el
> per-shadow.c
>
> Therefore, it seems that both polkit and polkit-gnome need
> auth_read_shadow() in the policy (actual policy is incomplete).

But, because polkit-gnome *always* needs to read shadow, a boolean
seems absolutely useless in this case.

> I hope it helps...
>
> > > > auth_rw_var_auth(policykit_auth_t)
> > > > auth_use_nsswitch(policykit_auth_t)
> > > > auth_domtrans_chk_passwd(policykit_auth_t)
> > >
> > > The above shadow addition shouldn't be necessary because of this
> > > password check.
> >
> > I thought the same, but apparently it also needs to read shadow
> > directly...
> >
> > > > @@ -218,6 +222,7 @@ optional_policy(`
> > > > optional_policy(`
> > > > xserver_stream_connect(policykit_auth_t)
> > > > xserver_read_xdm_pid(policykit_auth_t)
> > > > + xserver_rw_xsession_log(policykit_auth_t)
> > > > ')
> > > >
> > > > ########################################
> > > > diff -pru a/policy/modules/contrib/wm.if
> > >
> > > b/policy/modules/contrib/wm.if
> > > > --- a/policy/modules/contrib/wm.if 2017-09-29
> > > > 19:01:55.209455647
> > >
> > > +0200
> > > > +++ b/policy/modules/contrib/wm.if 2017-10-06
> > > > 20:18:53.335914824
> > >
> > > +0200
> > > > @@ -90,6 +90,11 @@ template(`wm_role_template',`
> > > > ')
> > > >
> > > > optional_policy(`
> > > > + policykit_run_auth($1_wm_t, $2)
> > > > + policykit_signal_auth($1_wm_t)
> > > > + ')
> > > > +
> > > > + optional_policy(`
> > > > pulseaudio_run($1_wm_t, $2)
> > > > ')
> > > > ')

Regards,

Guido

2017-10-11 00:15:04

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] wm: run PolicyKit

On 10/06/2017 03:00 PM, Guido Trentalancia via refpolicy wrote:
> Add permissions required to start a Gnome session using gnome-session
> and ConsoleKit.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/policykit.if | 19 +++++++++++++++++++
> policy/modules/contrib/policykit.te | 9 +++++++--
> policy/modules/contrib/wm.if | 5 +++++
> 3 files changed, 31 insertions(+), 2 deletions(-)
>
> --- a/policy/modules/contrib/policykit.if 2017-09-29 19:01:55.177455647 +0200
> +++ b/policy/modules/contrib/policykit.if 2017-10-06 20:26:16.020913014 +0200
> @@ -87,6 +87,25 @@ interface(`policykit_run_auth',`
> roleattribute $2 policykit_auth_roles;
> ')
>
> +#######################################
> +## <summary>
> +## Send generic signals to
> +## policykit auth.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`policykit_signal_auth',`
> + gen_require(`
> + type policykit_auth_t;
> + ')
> +
> + allow $1 policykit_auth_t:process signal;
> +')
> +
> ########################################
> ## <summary>
> ## Execute a domain transition to run polkit grant.
> diff -pru a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
> --- a/policy/modules/contrib/policykit.te 2017-09-29 19:01:55.177455647 +0200
> +++ b/policy/modules/contrib/policykit.te 2017-10-06 20:38:00.347910134 +0200
> @@ -152,8 +152,8 @@ optional_policy(`
> # Auth local policy
> #
>
> -allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
> -dontaudit policykit_auth_t self:capability sys_tty_config;
> +allow policykit_auth_t self:capability { dac_override ipc_lock setgid setuid sys_nice };
> +dontaudit policykit_auth_t self:capability { dac_read_search sys_tty_config };
> allow policykit_auth_t self:process { getsched setsched signal };
> allow policykit_auth_t self:unix_stream_socket { accept listen };
>
> @@ -175,15 +175,19 @@ can_exec(policykit_auth_t, policykit_aut
>
> kernel_read_system_state(policykit_auth_t)
> kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
> +kernel_dontaudit_search_sysctl(policykit_auth_t)
>
> dev_read_video_dev(policykit_auth_t)
>
> +domain_use_interactive_fds(policykit_auth_t)
> +
> files_read_etc_runtime_files(policykit_auth_t)
> files_search_home(policykit_auth_t)
>
> fs_getattr_all_fs(policykit_auth_t)
> fs_search_tmpfs(policykit_auth_t)
>
> +auth_read_shadow(policykit_auth_t)
> auth_rw_var_auth(policykit_auth_t)
> auth_use_nsswitch(policykit_auth_t)
> auth_domtrans_chk_passwd(policykit_auth_t)
> @@ -218,6 +222,7 @@ optional_policy(`
> optional_policy(`
> xserver_stream_connect(policykit_auth_t)
> xserver_read_xdm_pid(policykit_auth_t)
> + xserver_rw_xsession_log(policykit_auth_t)
> ')
>
> ########################################
> diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
> --- a/policy/modules/contrib/wm.if 2017-09-29 19:01:55.209455647 +0200
> +++ b/policy/modules/contrib/wm.if 2017-10-06 20:18:53.335914824 +0200
> @@ -90,6 +90,11 @@ template(`wm_role_template',`
> ')
>
> optional_policy(`
> + policykit_run_auth($1_wm_t, $2)
> + policykit_signal_auth($1_wm_t)
> + ')
> +
> + optional_policy(`
> pulseaudio_run($1_wm_t, $2)
> ')
> ')

Merged.

--
Chris PeBenito